Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- <= 4.3.16
A SQL injection vulnerability allowing authenticated users to execute arbitrary SQL commands has been identified in Admidio versions prior to 4.3.17. This vulnerability exists in the member assignment data retrieval feature, specifically within the 'adm_program/modules/groups-roles/members_assignment_data.php' file. The issue arises because the 'filter_rol_uuid' GET parameter is not properly sanitized before being used in a SQL query. As a result, an attacker could manipulate this parameter to inject malicious SQL, potentially leading to a complete compromise of the application's database, including unauthorized access to, modification of, or deletion of data.
Exploiting this vulnerability requires an authenticated account and yields arbitrary SQL command execution, which could fully compromise the application's database and let an attacker read, modify, or delete any data.
To reproduce this vulnerability, an authenticated user with role assignment permissions can manipulate the 'filter_rol_uuid' parameter in the AJAX request to the 'members_assignment_data.php' script. Intercepting this request with a web proxy and replaying it with 'sqlmap' can demonstrate the SQL injection vulnerability. 'sqlmap' will successfully exploit the vulnerability, confirming its existence and allowing the attacker to execute arbitrary SQL commands.
Users are advised to update Admidio to version 4.3.17 or later, where this vulnerability has been patched.
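The root cause described above (the 'filter_rol_uuid' value reaching the query text unsanitized) beside the parameterized form a fix takes, as an added PHP illustration that is not Admidio's own code; the table and column names (adm_roles, rol_uuid, adm_members, mem_rol_id, mem_usr_id), the function names and the PDO connection are assumptions.

```php
<?php
// Added illustration, not Admidio's code. Table/column names are assumed.

// Vulnerable pattern: the GET parameter is concatenated into the SQL text,
// so whatever the caller puts in filter_rol_uuid becomes part of the query.
function membersForRoleUnsafe(PDO $db, array $get): array
{
    $roleUuid = $get['filter_rol_uuid'] ?? '';
    $sql = "SELECT mem_usr_id FROM adm_members"
         . " INNER JOIN adm_roles ON rol_id = mem_rol_id"
         . " WHERE rol_uuid = '" . $roleUuid . "'";   // attacker-controlled string
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: check the value has the shape of a UUID, then send it to
// the database as a bound parameter so it is never parsed as SQL.
function membersForRoleSafe(PDO $db, array $get): array
{
    $roleUuid = $get['filter_rol_uuid'] ?? '';
    $uuidPattern = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (!preg_match($uuidPattern, $roleUuid)) {
        // Reject early: a role UUID cannot legitimately contain quotes or spaces.
        throw new InvalidArgumentException('filter_rol_uuid is not a valid UUID');
    }
    $stmt = $db->prepare(
        'SELECT mem_usr_id FROM adm_members'
        . ' INNER JOIN adm_roles ON rol_id = mem_rol_id'
        . ' WHERE rol_uuid = :uuid'
    );
    $stmt->execute([':uuid' => $roleUuid]);   // value travels separately from the SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

The bound parameter is the actual barrier; the UUID check is defence in depth that also turns malformed input into a loggable 4xx instead of a database error.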